Introduction


1. The Data Protection Act 1998 (the DPA) is based around eight
principles of ‘good information handling’. These give people
specific rights in relation to their personal information and place
certain obligations on those organisations that are responsible
for processing it.


2. An overview of the main provisions of the DPA can be found in 
The Guide to Data Protection. 


3. This is part of a series of guidance, which goes into more detail 
than the Guide, to help data controllers to fully understand 
their obligations and promote good practice. 


4. This guidance explains what organisations, and individuals who 
process personal data for purposes such as running a business, 
need to consider when they run, contribute to, or download 
personal data from online forums such as social networking 
sites, message boards, or blogs. 


Overview 


• The DPA contains an exemption for personal data that is
processed by an individual for the purposes of their personal,
family or household affairs. This exemption is often referred to
as the ‘domestic purposes’ exemption. It will apply whenever an
individual uses an online forum purely for domestic purposes.

• The domestic purposes exemption does not cover organisational
use of online forums. Organisations that use social media are
therefore subject to the DPA in the normal way.

• The exemption also doesn’t apply when individuals process
personal data for non-domestic purposes. Individuals who use
social media for purposes such as running a sole trader business
are subject to the DPA in the usual way.

• When an organisation, or individual acting for non-domestic
purposes, posts personal data on a social networking site,
message board or blog, they will need to ensure that they have
complied with the DPA. The same applies if they download
personal data from a social networking site and use it for
non-domestic purposes.

• When an organisation, or individual acting for non-domestic
purposes, runs an online forum they may also have
responsibilities as data controllers under the DPA. This would
include a duty to take reasonable steps to check the accuracy of
any personal data that is posted on their site by third parties.

• What are considered to be reasonable steps will depend on the
nature of the site and the extent to which the person or
organisation running the site takes a role in moderating content.
We would not consider it reasonable to expect a large social
networking site to check all posts for accuracy, but we would
expect it to have measures in place to deal with complaints
about factually inaccurate postings.


What the DPA says 


5. There is an exemption in the DPA which means that when 
personal data is processed by an individual for their own 
personal purposes the data protection principles do not apply. 
This exemption is often referred to as the ‘domestic purposes’ 
exemption. 


6. Section 36 states: 


36. Personal data processed by an individual only for the
purposes of that individual’s personal, family, or household
affairs (including recreational purposes) are exempt from the
data protection principles and the provisions of Parts II and
III.


7. Section 36 can’t be used by organisations which process 
personal data. This means that organisations that use social 
media or other online forums have responsibilities under the 
DPA: 


• if they post personal data on their own or a third party’s
website;

• if they download and use personal data from a third party
website;

• if they run a website which allows third parties to add
comments or posts about living individuals, and they are
a data controller for the website content. (For more
information about data controllers please see The Guide
to Data Protection.)


8. The section 36 exemption also doesn’t apply to processing by
individuals for non-domestic purposes. This means that if an
individual, such as a sole trader, is using social media to
process personal data for their business purposes then they will
also have responsibilities under the DPA.


Determining whether an online forum is being used for 
non-domestic purposes 


9. The section 36 exemption is based on the purposes for which
the personal data is being processed, not on the nature or
content of the data itself. It applies whenever someone uses an
online forum purely in a personal capacity for their own
domestic or recreational purposes. It doesn't apply when an
organisation or an individual uses an online forum for
corporate, business or non-domestic purposes.


Organisations 


10. Organisations such as businesses, charities and political parties
increasingly use social networking sites or other online forums
for their ordinary corporate or organisational purposes.
Examples of this include:

• a business promoting its services by posting customers'
reviews of a product

• a police force posting pictures of suspects with details of
their alleged crimes

• a political party carrying out membership recruitment

• a school asking its alumni to provide their details for a
planned reunion


11. The domestic purposes exemption cannot apply to the
processing of personal data done by organisations through
social networking sites.


12. This is still the case even if an organisation gets a member of
its staff to do the processing for it through their personal
networking page. This is because the employee is acting on
behalf of the organisation and the processing is for the
organisation’s corporate or organisational purposes, not for the
purposes of the employee’s personal, family or household
affairs. The ICO would consider it poor practice for an
organisation to encourage or allow employees to use their own
personal networking pages for corporate purposes.


13. If an organisation does decide to use social networking sites
then it must ensure that it complies with the DPA. For further
information about what the DPA requires please refer to our
Guide to data protection.


Groups of individuals 


14. The section 36 exemption refers to an individual processing
personal data for domestic purposes. Sometimes online forums
can be used or set up by a group of individuals and the
question is then asked whether the domestic purposes
exemption can apply in these circumstances.


15. The ICO view is that the key issue here remains the purpose
behind the processing. If you are processing personal data for
non-domestic purposes then you will be subject to the
requirements of the DPA regardless of whether you are acting
as a sole individual, as part of a group of separate individuals,
or on behalf of a group (such as a club or society) with its own
separate legal identity.


16. In this circumstance, although the capacity in which you are
acting may affect who is identified as the data controller, and
whether more than one data controller exists, it doesn’t alter
the basic premise that you can’t rely on the exemption at
section 36 of the DPA if the purpose behind your processing is
not your own personal, family or household affairs.


17. This does not mean, however, that the status of the group can
never be relevant to this issue. In general the more formal and
the more distinct the group is from its individual members the
less likely it is that the domestic purposes exemption will apply.


18. This is because a more formal group (such as a club or society)
that exists independently of its individual members, and whose
membership can change over time, is more likely to process
personal data for its own distinct purposes rather than for the
domestic purposes of its individual members.

Example 1


A group of friends who met on holiday set up a social
networking page to share their photographs and arrange a
further trip for the following year.


The purpose of the processing is clearly for the individuals’
recreational purposes. In this situation the domestic purposes
exemption applies. It doesn’t make any difference that more
than one individual is processing personal data on the same
subject.


Example 2


A chess club sets up a website on which it publishes results of
the chess matches its members have played in tournaments
against other clubs.


Although the members of the club share a recreational
interest, the personal data is being processed for the distinct
collective purposes of the club rather than for the domestic
purposes of its individual members. In this situation the
section 36 exemption does not apply.


19. The following questions may help a group of individuals to 
decide whether the exemption applies to them or not, but they 
should not be treated as an exhaustive list: 


• Is the site or networking page commercial? Does it
generate income through advertising or subscriptions?
Has it been set up to pursue a professional or commercial
objective?

• Is the personal data being processed for the distinct,
collective purposes of the group, rather than for the
personal, family or household purposes of its individual
members?

• Is the personal data clearly being posted on behalf of an
organisation?

• Is the group separately legally constituted in some way?

• Is the personal data being posted on behalf of a group
that is distinct from its members? Would the group
continue to exist if its membership changed? Does it have
its own set of rules that exists separately from its
members?


20. If the answer to any of the questions above is ‘yes’, then it is 
unlikely that the processing is being done by an individual for 
his or her domestic purposes and it is therefore unlikely that 
the section 36 exemption applies. 


Individuals 


21. The section 36 exemption only applies when an individual is 
processing personal data for their own personal, family or 
household affairs (including recreational purposes). This means 
that even when the processing is clearly done by an individual 
rather than a group or organisation, if the purpose of the 
processing is non-domestic then the exemption won't apply. 

Example 1


A sole trader sets up a website to promote their nail bar and
tanning salon and, with permission, includes reviews from
named satisfied customers. The purpose behind this
processing of personal data is clearly commercial rather than
domestic and the section 36 exemption won't apply.


Example 2


A private individual decides to sell off some unwanted gifts
using an online auction site. They process the personal data of
prospective buyers who ‘message’ them through the auction
site. Although the seller might make some money from the
sale we would distinguish the selling of personal possessions
from the running of a business, and would accept that this
processing is purely for domestic purposes.


Example 3 


A seller runs a business buying goods wholesale and selling 
them on via an online auction site. They retain details of their 
previous and regular customers for marketing and delivery 
purposes. Here, the seller is clearly operating a business and 
processing the personal data in pursuit of a commercial 
(rather than a domestic) objective. The section 36 exemption 
will not apply. 


Personal views 


22. The domestic purposes exemption doesn’t necessarily apply 
whenever a personal view is expressed. For example, online 
versions of daily newspapers often include an ‘opinion’ section 
where a journalist gives their personal view on a matter of 
media interest. What is important here is that although the 
opinion given is a personal opinion, it isn’t being given for a 
domestic or recreational purpose. The journalist is providing 
personal comment for the editorial purposes of the newspaper. 


23. Although the domestic purpose exemption won't apply in this 
circumstance there is another exemption (at section 32 of the 
DPA) which may apply to personal data which is processed for 
the special purpose of journalism, art and literature. For further 
information about this exemption please refer to our guidance 
on data protection and journalism. 

Example 1


A company has a website and decides that it will improve 
customer relations and awareness of its products if it sets up a 
social networking account and asks its senior staff to post 
messages commenting on the latest developments within the 
industry. Some of these messages comment on the actions of 
high profile business leaders within the industry. 


In this situation, although senior staff may express a mixture 
of corporate and personal views, the messages aren’t being 
posted for recreational or domestic purposes. They are part of 
the company’s marketing strategy and are being posted for 
corporate purposes. The senior staff members are posting as 
part of their job and section 36 does not apply. 


Example 2 


An employee of the same company has a keen personal 
interest in the industry in which he works. He isn’t asked to 
post messages on behalf of the company but he follows the 
Managing Director’s posts from his home computer and 
Smartphone. He has strong views on the actions of a 
particular figure within the industry, and posts a comment in 
response to one of his Managing Director’s messages on this 
subject. 


Here, the employee is acting purely in a personal capacity. 
Although the subject matter is related to his work he hasn't 
been asked to post messages on behalf of the company and 
he is acting out of his own personal and recreational interest. 
Therefore section 36 applies. 


Using social media for both domestic and non-domestic 
purposes 


24. The examples given above all consider situations where there is
one clear purpose for using an online forum. In reality some
users of social media do so for mixed purposes. For example,
many people in the public eye have social media accounts that
they use both for personal, family and recreational purposes and
to promote their business interests by raising their public
profile.


25. We recognise that this is a difficult area. One very
straightforward solution for people in this situation is to keep
their personal and non-personal affairs apart by having
separate online profiles for their work and personal lives. We
appreciate that not everyone will want to do this and it will be a
matter of personal choice for the individual. Ultimately
however, if an individual chooses to use social networking sites
for mixed purposes then they need to make sure that any posts
that aren't made for purely domestic or recreational
purposes comply with the DPA.


Running an online forum or social networking site 


Establishing the extent to which the person or
organisation running the site is a data controller


26. The first issue a person or organisation that runs a social
networking site or other online forum needs to consider is the
extent to which they are a data controller.


27. The DPA states that:


1. Data controller means, subject to subsection (4), a person
who (either alone or jointly or in common with other
persons) determines the purposes for which and the
manner in which any personal data are to be, processed


28. In relation to any contact information, or other personal data
that the site operator processes about its own users or
subscribers, it will clearly be a data controller and will need to
comply with the DPA.


29. In relation to any personal data that is posted on its site by
third party subscribers the issue is less clear cut.

In The Law Society and Others v Rick Kordowski (Solicitors
from Hell) [2011] EWHC 3185 (QB) Mr Kordowski set up and
ran a website on which members of the public were invited to
‘name and shame’ ‘Solicitors from Hell’. He moderated posts
and charged a fee for adding or removing them.


Mr Justice Tugendhat had no hesitation in accepting that Mr 
Kordowski was a data controller under the DPA and this was 
not disputed by any party. It was clear in the circumstances 
that Mr Kordowski decided the purposes and manner in which 
the personal data was processed. 


30. In other cases the forum might be provided free of charge or 
the person or organisation running the site might take much 
less of a role in moderating content. For example, members of 
many large social networking sites are able to add posts 
directly to the site without first having them checked by a site 
moderator. 


31. However, even if the content is not moderated before posting 
this does not necessarily mean that the person or organisation 
running the site isn’t a data controller. If the site only allows 
posts subject to terms and conditions which cover acceptable 
content, and if it can remove posts which breach its policies on 
such matters, then it will still, to some extent, be determining 
the purposes and manner in which personal data is processed. 
It will therefore be a data controller. 


Reasonable steps to ensure the accuracy of personal 
data 


32. If the person or organisation running the site is a data 
controller for the content that it allows third parties to post 
then it will need to comply with the following provisions of the 
DPA. 

Schedule 1
Part I


4. Personal data shall be accurate and, where necessary, kept
up to date.


Schedule 1
Part II


7. The fourth principle is not to be regarded as being
contravened by reason of any inaccuracy in personal data
which accurately record information obtained by the data
controller from the data subject or a third party in a case
where -

(a) Having regard to the purpose or purposes for
which the data were obtained and further
processed, the data controller has taken
reasonable steps to ensure the accuracy of the
data, and

(b) If the data subject has notified the data controller
of the data subject’s view that the data are
inaccurate, the data shall indicate that fact.


Part IV


70(2) For the purposes of this Act data are inaccurate if they
are incorrect or misleading as to any matter of fact.


33. This means that when a data controller runs an online forum it
has a responsibility to take reasonable steps to check the
accuracy of any personal data that is posted on its site by third
parties and is presented as a ‘matter of fact’.


34. Expressions of opinion will not qualify as matters of fact. So,
for example, a post which records someone’s age or date of
birth may be ‘incorrect or misleading as to any matter of fact’,
but a post which gives an opinion on how old someone looks
cannot be.


35. What are considered to be reasonable steps for the person or
organisation running the site to take will depend on the nature
of the site and how active a role the data controller takes in
selecting, allowing or moderating content. There may also be a
higher expectation where children are the primary users of the
site; for further information on this please read our Personal
information online code of practice.

36. 


Returning to The Law Society and Others v Rick Kordowski 
(Solicitors from Hell) [2011] EWHC 3185 (QB) discussed 
above. 


It was clear that it was Mr Kordowski who decided what 
content would and would not be included on the site and posts 
could not be made without his approval. He did not, however, 
claim to check the accuracy of the posts that he allowed, and 
the judge noted that “no suggestion is made by him that the 
words complained of are true or that they are honest opinion”. 


Although the data subjects had advised Mr Kordowski that 
they considered the posts about them to be inaccurate he had 
made no attempt to add this information to the site, or to 
remove the original postings. 


In the circumstances of this case, it is clear that the fourth 
principle of the DPA had been breached. Given the role Mr 
Kordowski adopted in deciding what content to publish, the 
steps he took to ensure accuracy were not reasonable. He also 
failed to indicate when data subjects disputed the accuracy of 
the posts. 


37. Our expectation of ‘reasonable steps’ would, however, vary 
depending on the individual circumstances of the case. For 
example, in a situation where the vast majority of the site 
content is posted directly by third parties, the volume of third 
party posts is significant, site content is not moderated in 
advance and the site relies upon users complying with user 
policies and reporting problems to the site operator, we would 
not consider that taking ‘reasonable steps’ requires the 
operator to check every individual post for accuracy. 


38. We would consider ‘reasonable steps’ for a data controller 
running this type of social networking site to include the 
following: 


• Having clear and prominent policies for users about
acceptable and non-acceptable posts

• Having clear and easy to find procedures in place for
data subjects to dispute the accuracy of posts and ask
for them to be removed

• Responding to disputes about accuracy quickly, and
having procedures to remove or suspend access to
content, at least until such time as a dispute has been
settled.


39. A person or organisation running such a site might wish to set 
up a mechanism which allows it to add a note to a post 
indicating that the data subject disputes its factual accuracy. In 
practice however, it will probably be more practical for the site 
to simply remove or suspend access to the disputed post in this 
type of situation. 


ICO involvement in complaints against those running 
social network sites, organisations and individuals 


40. We would expect a person or organisation running a social 
networking site or online forum to have policies in place that 
are sufficient to deal with: 


• complaints from people who believe that their personal
data may have been processed unfairly or unlawfully
because they have been the subject of derogatory,
threatening or abusive online postings by third parties;

• disputes between individuals about the factual accuracy
of posts; and

• complaints about how the person or organisation
running the site processes any personal data (such as
contact details) given to it by its users or subscribers.


41. We will advise members of the public who approach us about 
any type of unfair or inaccurate posting about them to do one 
or more of the following in the first instance: 


• Follow the website’s procedure for dealing with inaccurate,
unfair or derogatory postings,

• Contact the website administrator,

• Take the matter up directly with the organisation or
individual who has posted the personal data, if they feel
this would be appropriate,

• If it is alleged that a posting is libellous, threatening or
constitutes harassment then consider taking legal advice
or contacting the police.


42. The ICO will not consider complaints made against individuals
who have posted personal data whilst acting in a personal
capacity, no matter how unfair, derogatory or distressing the
posts may be. This is because where an individual is posting for
the purposes of their personal, family, household or recreational
purposes the section 36 exemption will apply.


43. The ICO will consider complaints about posts made by
businesses, organisations, or individuals acting for
non-domestic purposes in the normal way, using a proportionate
approach. Further information about how we do this can be
found on the Complaints page of our website.


44. Where we believe it is necessary and proportionate in order to 
promote compliance with the DPA, we may work with a person 
or organisation running a site to ensure its policies and 
procedures for dealing with complaints and disputes about the 
content that it allows are adequate. Only where the person or 
organisation is a data controller will we consider complaints 
about a site’s failure to deal with an individual complaint. 


Other considerations 


45. Even if section 36 does not apply it is possible that another 
exemption might. 


46. As mentioned above there is an exemption at section 32 from 
certain provisions of the DPA. This would apply if a data 
controller posted personal data on an online forum 


• for one of the special purposes of journalism, art and
literature;

• in the reasonable belief that publication would be in the
public interest; and

• in the reasonable belief that compliance with the
provision of the DPA in question would be incompatible
with the special purposes.


47. Additional guidance on the section 32 exemption and the media 
is available on our guidance pages where you can also find 
information on other parts of the DPA. 

48. You may also find it helpful to read our Personal Information
online code of practice.


Other legislation


49. As well as considering compliance with the DPA, organisations
and individuals that use or run online forums such as social
networking sites need to make sure they comply with other
relevant legislation such as:

• the Protection from Harassment Act 1997;

• the Communications Act 2003;

• the European Convention on Human Rights;

• the Malicious Communications Act 1988;

• the common law of contempt of court and the Contempt
of Court Act 1981;

• section 4A of the Public Order Act 1986;

• the common law of defamation and the Defamation Acts
1952, 1996 and 2013 (note that section 5 of the 2013
Act deals specifically with website operators).


50. Further details of all current UK legislation can be found at
http://www.legislation.gov.uk/


More information 


52. This guidance has been developed drawing on ICO experience.
Because of this it may provide more detail on issues that are
often referred to the Information Commissioner than on those
we rarely see. The guidance will be reviewed and considered
from time to time in line with new decisions of the Information
Commissioner, Tribunals and courts.


53. It is a guide to our general recommended approach, although
individual cases will always be decided on the basis of their
particular circumstances.


54. If you need any more information about this or any other
aspect of data protection, please contact us: see our website
www.ico.org.uk.